diff --git a/cmd/ingress-operator/start.go b/cmd/ingress-operator/start.go
index e548062b8f..70f9d76361 100644
--- a/cmd/ingress-operator/start.go
+++ b/cmd/ingress-operator/start.go
@@ -34,7 +34,7 @@ const (
 // that is mounted from configmap openshift-ingress-operator/trusted-ca.
 defaultTrustedCABundle = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
 defaultGatewayAPIOperatorChannel = "stable"
- defaultGatewayAPIOperatorVersion = "servicemeshoperator3.v3.0.0"
+ defaultGatewayAPIOperatorVersion = "servicemeshoperator3.v3.0.3"
 )
 
 type StartOptions struct {
diff --git a/manifests/02-deployment-ibm-cloud-managed.yaml b/manifests/02-deployment-ibm-cloud-managed.yaml
index 9e2d14fce8..e0a029221f 100644
--- a/manifests/02-deployment-ibm-cloud-managed.yaml
+++ b/manifests/02-deployment-ibm-cloud-managed.yaml
@@ -53,7 +53,7 @@ spec:
 - name: GATEWAY_API_OPERATOR_CHANNEL
 value: stable
 - name: GATEWAY_API_OPERATOR_VERSION
- value: servicemeshoperator3.v3.0.0
+ value: servicemeshoperator3.v3.0.3
 image: openshift/origin-cluster-ingress-operator:latest
 imagePullPolicy: IfNotPresent
 name: ingress-operator
diff --git a/manifests/02-deployment.yaml b/manifests/02-deployment.yaml
index ebbc5dbd73..90729e1ba4 100644
--- a/manifests/02-deployment.yaml
+++ b/manifests/02-deployment.yaml
@@ -82,7 +82,7 @@ spec:
 - name: GATEWAY_API_OPERATOR_CHANNEL
 value: stable
 - name: GATEWAY_API_OPERATOR_VERSION
- value: servicemeshoperator3.v3.0.0
+ value: servicemeshoperator3.v3.0.3
 resources:
 requests:
 cpu: 10m
diff --git a/pkg/operator/controller/gatewayclass/istio.go b/pkg/operator/controller/gatewayclass/istio.go
index 6bc4dd1823..f3b1369ced 100644
--- a/pkg/operator/controller/gatewayclass/istio.go
+++ b/pkg/operator/controller/gatewayclass/istio.go
@@ -83,11 +83,6 @@ func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference) *sa
 // then our Istiod instance might try to reconcile gateways
 // belonging to an unrelated Istiod instance.
 "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": controller.OpenShiftDefaultGatewayClassName,
- // Watch Gateway API and Kubernetes resources in all namespaces,
- // but ignore Istio resources that don't match our label
- // selector. (We do not specify the label selector, so this
- // causes Istio to ignore all Istio resources.)
- "PILOT_ENABLE_GATEWAY_CONTROLLER_MODE": "true",
 // Only reconcile resources that are associated with
 // gatewayclasses that have our controller name.
 "PILOT_GATEWAY_API_CONTROLLER_NAME": controller.OpenShiftGatewayClassControllerName,
@@ -95,6 +90,19 @@ func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference) *sa
 // "multi-network gateways". This is an Istio feature that I
 // haven't really found any explanation for.
 "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false",
+ // Rename the CA Bundle CM used by the Gateway Control Plane
+ // to avoid conflicts with a User Istio Control Plane.
+ "PILOT_CA_CERT_CONFIGMAP": "openshift-gw-ca-root-cert",
+ // Only create CA Bundle CM in namespaces where there are
+ // Gateway API Gateways
+ "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true",
+ // Don't copy labels or annotations from gateways to resources
+ // that Istiod creates for that gateway. This is an Istio-
+ // specific behavior which might not be supported by other
+ // Gateway API implementations and that could allow the end-user
+ // to inject unsupported configuration, for example using
+ // service annotations.
+ "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false",
 }
 return &sailv1.Istio{
 ObjectMeta: metav1.ObjectMeta{
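Review bot: Dropping `PILOT_ENABLE_GATEWAY_CONTROLLER_MODE` also drops the only comment in this map that explains how Istiod is kept from reconciling Istio resources that do not belong to the gateway control plane, and nothing in the hunk says what now provides that scoping. If the pinned Istio version (bumped to `v1.24.4` in a later hunk) makes that behaviour the default or retired the flag, record it next to `PILOT_GATEWAY_API_CONTROLLER_NAME`, e.g. `// PILOT_ENABLE_GATEWAY_CONTROLLER_MODE is intentionally not set: <reason, e.g. default in the pinned Istio version>.`, so the next reader does not reintroduce it or assume the scoping was lost. desiredIstio starts and ends outside this hunk.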
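Review bot: The new `"PILOT_CA_CERT_CONFIGMAP": "openshift-gw-ca-root-cert",` entry hardcodes the configmap name as a literal, whereas the neighbouring entries take their values from constants in the `controller` package; anything else that has to locate, grant RBAC on, or clean up that configmap will have to duplicate the string and can silently drift from it. Suggest declaring the name as a constant alongside the existing controller constants and referencing it here. Minor: the comment `// Gateway API Gateways` is missing its terminating period, unlike the surrounding comments. desiredIstio starts and ends outside this hunk.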
@@ -148,7 +156,7 @@ func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference) *sa
 IngressControllerMode: sailv1.MeshConfigIngressControllerModeOff,
 },
 },
- Version: "v1.24.3",
+ Version: "v1.24.4",
 },
 }
 }
diff --git a/test/e2e/gateway_api_test.go b/test/e2e/gateway_api_test.go
index 0bb591dd99..8d41ad7dc6 100644
--- a/test/e2e/gateway_api_test.go
+++ b/test/e2e/gateway_api_test.go
@@ -15,6 +15,7 @@ import (
 iov1 "github.com/openshift/api/operatoringress/v1"
 operatorclient "github.com/openshift/cluster-ingress-operator/pkg/operator/client"
 operatorcontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller"
+ util "github.com/openshift/cluster-ingress-operator/pkg/util"
 
 corev1 "k8s.io/api/core/v1"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -259,6 +260,14 @@ func testGatewayAPIManualDeployment(t *testing.T) {
 t.Fatalf("Failed to create gateway %v: %v", gatewayName, err)
 }
 t.Cleanup(func() {
+ if t.Failed() {
+ t.Logf("Dumping gateway %q...", gatewayName)
+ var gateway gatewayapiv1.Gateway
+ if err := kclient.Get(context.Background(), gatewayName, &gateway); err != nil {
+ t.Errorf("Failed to get gateway %v: %v", gatewayName, err)
+ }
+ t.Log(util.ToYaml(gateway))
+ }
 if err := kclient.Delete(context.Background(), &gateway); err != nil {
 if !errors.IsNotFound(err) {
 t.Errorf("Failed to delete gateway %v: %v", gatewayName, err)
@@ -266,7 +275,7 @@ func testGatewayAPIManualDeployment(t *testing.T) {
 }
 })
 
- interval, timeout := 5*time.Second, 1*time.Minute
+ interval, timeout := 5*time.Second, 5*time.Minute
 t.Logf("Polling for up to %v to verify that the gateway is accepted...", timeout)
 if err := wait.PollUntilContextTimeout(context.Background(), interval, timeout, false, func(context context.Context) (bool, error) {
 if err := kclient.Get(context, gatewayName, &gateway); err != nil {
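Review bot: In the new cleanup block, `t.Log(util.ToYaml(gateway))` runs even when the `kclient.Get` just above it failed, so a failed fetch logs the error and then dumps an empty Gateway, which is misleading when reading the failure output; move the dump into the else branch: `} else { t.Log(util.ToYaml(gateway)) }`. The `var gateway gatewayapiv1.Gateway` declared inside the `if t.Failed()` block also shadows the outer `gateway` that the `kclient.Delete` below passes, which is legal but easy to misread in a cleanup closure; a distinct name would avoid the ambiguity. testGatewayAPIManualDeployment starts and ends outside this hunk.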
diff --git a/test/e2e/util_gatewayapi_test.go b/test/e2e/util_gatewayapi_test.go
index c3cf2c24e2..5fc8c61d85 100644
--- a/test/e2e/util_gatewayapi_test.go
+++ b/test/e2e/util_gatewayapi_test.go
@@ -1035,7 +1035,7 @@ func assertDNSRecord(t *testing.T, recordName types.NamespacedName) error {
 t.Helper()
 dnsRecord := &v1.DNSRecord{}
 
- err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 1*time.Minute, false, func(context context.Context) (bool, error) {
+ err := wait.PollUntilContextTimeout(context.Background(), 10*time.Second, 10*time.Minute, false, func(context context.Context) (bool, error) {
 if err := kclient.Get(context, recordName, dnsRecord); err != nil {
 t.Logf("Failed to get DNSRecord %v: %v; retrying...", recordName, err)
 return false, nil